International data strategy can be driven by a multitude of political, economic and legislative issues. ODI’s Senior Policy Advisor Lawrence Kay highlights how Australia’s evolving approach demonstrates this
How should countries develop data-sharing relationships with each other? There are enormous flows of data across the world, but because the information they convey is often sensitive – for personal, commercial, political, or national security reasons – national policymakers are faced with questions of how to govern them. And making that coherent is the essence of international data strategy.
Data privacy standards are an issue in data sharing wherever it takes place. Harvard’s Belfer Center recently said that information is now the world’s most contested resource and that ‘democracies remain fundamentally unprepared for strategic competition in the Information Age.’ As the ODI discussed in 2018, many of these changes are being pushed by the development of China’s Belt and Road Initiative.
Data sharing governance
We have been considering the trade and economic aspects of international data strategy through our project on data infrastructure for trade competitiveness. And to do that we’ve been interested in the choices faced by Australia. Australia is advanced in domestic data governance terms, has had an impressive run of economic growth over the past few decades, and is ranked 34th on the DHL Global Connectedness Index.
This level of economic connectivity means that Australia has a range of options about how to align its data sharing across the governance of what Canada’s Center for International Governance Innovation has called the ‘four internets’: Silicon Valley’s Open Internet; Brussel’s Bourgeois Internet; Beijing’s Authoritarian Internet; and Washington DC’s Commercial Internet.
Free trade agreements
Some of Australia’s choices can be seen in the range of free trade agreements (FTAs) that it has signed in recent years. The country is 16th on the Global Competitiveness Index and has sought to improve its access to key markets in its neighbourhood and the wider world through FTAs with China, Korea, Japan and Malaysia between 2013 and 2015; and in 2018 joined ten other countries in signing the Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP).
Ten of Australia’s FTAs contain chapters on e-commerce, with those chapters carrying prohibitions on things like applying customs duties to electronic trading, the disclosure of source code, and the localisation of computer facilities. Australia’s Department of Foreign Affairs and Trade has made protecting personal information from unauthorised disclosure and fostering cross-border data transfers two of its main objectives.
The Data Spectrum
As Australia pursues these objectives it has, like any other country, to make choices over closed, shared, and open data – illustrated on the ODI’s Data Spectrum – at domestic and international levels. At domestic level, these choices affect firms’ and entrepreneurs’ access to data collected in Australia, and hence some of the material for creating competitive goods and services.
The impact of whether data is closed, shared or open is recognised in Australia’s Productivity Commission’s 658-page report, ‘Data Availability and Use’, and is a key consideration for the Office of the National Data Commissioner, the body responsible for streamlining how public sector data is used and shared.
Graphic from the Australian government’s Office of the National Data Commissioner, showing closed, shared and open data
At the international level, Australia’s domestic governance regime interfaces with foreign ones, shaping the ease with which its companies can share data with their peers abroad.This interface also shapes mutual access across borders for research and innovation – with the ‘Data Availability and Use’ report recognising cross-border transfer as central to Australia’s data debate.
But Australia can’t just declare its data policy choices and leave things there – the law is only as effective as its enforcement. As the World Wide Web Foundation noted, implementation and compliance are key to getting any such law to work.
Australia uses a ‘a mix of federal, state and territory laws’ according to the law firm, DLA Piper, to manage data privacy and data protection, and hence the immediate domestic boundaries between closed and shared data. In 2017 it announced the introduction of the Consumer Data Right, raising consumers’ access to, and control over, data about them, starting in the banking, energy, and telecommunications sectors. The changes – brought about through the ‘Treasury Laws Amendment (Consumer Data Right) 2018 Bill’ – are about increasing the ability of consumers to make informed choices, making it easier for them to switch between companies, thereby boosting competition and consumer welfare.
Data portability and data institutions
Data portability has been recommended in a range of reports – such as the United Kingdom’s (UK’s)’s ’Unlocking digital competition’ – as a way to increase data sharing and hence competition in digital markets, but the Australian Competition and Consumer Commission recently argued that it would not have many short-to-medium-term benefits.
As countries like the UK move into defining the boundaries of data sharing so that parties are more able to innovate with information – such as through data trusts and other data institutions – Australia has created organisations like Data61, which has been working on the technology, data governance, and institutional aspects of raising trust in data use across projects with social and economic aims in Australia.
But when it comes to the interface between Australia’s domestic rules and the data sharing choices made by other countries, how much does the country have to gain? The Export Council of Australia has argued that free data flows across borders are an imperative if Australia is to maximise its opportunities in digital trade, which is currently worth
A$43bn to the domestic economy, making it the country’s fourth-biggest export sector. But according to the European Centre for International Political Economy, while Australia’s domestic regulations for international data sharing are more inhibiting than many of its peers, easing them would have comparatively small effects on its services sector.
Australia’s biggest international commitments to developing trusted data sharing with key partners have been in its immediate neighbourhood. The country is part of the Asia-Pacific Economic Cooperation (APEC) forum, and officially became a part of APEC’s Cross-Border Privacy Rules (CBPR) system in late 2018. Participating businesses within Australia have since been required to develop and implement data privacy policies aligned to the APEC Privacy Framework. With this system in place, businesses have been able to use the CBPR system to facilitate cross-border data transfers.
Data sharing further afield
Australia does not have adequacy status under GDPR. Article 45 of Regulation (EU) 2016/679 states that the European Commission determines whether a country outside of the EU will offer ‘adequate’ data protection to any EU data. To make that judgement, the Commission considers the rule of law in a country, and the existence of independent, supervisory authorities for upholding GDPR principles. There are 11 countries or territories who have reached full adequacy status as a third country, with Canada and the United States being given partial status.
Australia’s attitude to the encryption of electronic communications has faced resistance from its international partners, including large companies and civil society groups in the US. Australia’s 2018 Telecommunications and Other Legislation Amendment (Assistance and Access) Act empowers intelligence and law enforcement agencies to compel access to end-to-end encrypted digital communications. According to the Carnegie Endowment for International Peace, Australia’s approach has been inspired by its Five Eyes intelligence partners but has gone further than many of them by giving communications companies the freedom to acquire more interception capacity, and demanding that compliance applies to companies abroad. They also say the law has been ‘written without reference to the supposed importance of trust in Australia’s cyber products.’
Principles-based data sharing?
As this short review shows, Australia has found it easier to agree to data sharing conditions with partners in APEC than ones in the EU, albeit while facing the unique demands that come with being part of Five Eyes. But is that because it was easier to coordinate in APEC than align with the EU, or the fact that Australia’s services exports to the 21 APEC members are worth about five times more than what it sells to the 27 countries of the EU?
As Australia considers its data sharing relationships with key allies and trading partners, it will create further definition between the boundaries of closed data, shared data, and open data, subject to international cooperation – or, as a discussion paper by the Australian government put it, legislation for sharing or private and public sector data will be ‘principles-based, allowing them to adapt as the technological and legal environment evolves.’